What does this bugcheck mean?

Question

I have had a Windows Server 2025 crash 2 weeks ago with the following minidump information:

REFERENCE_BY_POINTER (18)

Arguments:

Arg1: 0000000000000000, Object type of the object whose reference count is being lowered

Arg2: ffffbb0a549130c0, Object whose reference count is being lowered

Arg3: 0000000000000002, Reserved

Arg4: ffffffffffffffff, Reserved

The reference count of an object is illegal for the current state of the object.

Each time a driver uses a pointer to an object the driver calls a kernel routine

to increment the reference count of the object. When the driver is done with the

pointer the driver calls another kernel routine to decrement the reference count.

Drivers must match calls to the increment and decrement routines. This BugCheck

can occur because an object's reference count goes to zero while there are still

open handles to the object, in which case the fourth parameter indicates the number

of opened handles. It may also occur when the object's reference count drops below zero

whether or not there are open handles to the object, and in that case the fourth parameter

contains the actual value of the pointer references count.
```Debugging Details:

------------------

KEY_VALUES_STRING: 1

Key : Analysis.CPU.mSec

Value: 2343

Key : Analysis.Elapsed.mSec

Value: 3511

Key : Analysis.IO.Other.Mb

Value: 0

Key : Analysis.IO.Read.Mb

Value: 0

Key : Analysis.IO.Write.Mb

Value: 0

Key : Analysis.Init.CPU.mSec

Value: 733

Key : Analysis.Init.Elapsed.mSec

Value: 7242

Key : Analysis.Memory.CommitPeak.Mb

Value: 92

Key : Bugcheck.Code.LegacyAPI

Value: 0x18

Key : Failure.Bucket

Value: 0x18_OVER_DEREFERENCE_nt!ObfDereferenceObjectWithTag

Key : Failure.Hash

Value: {4139309c-4e9f-52f0-ac5e-4041e7a86a20}

Key : Hypervisor.Enlightenments.Value

Value: 16756

Key : Hypervisor.Enlightenments.ValueHex

Value: 4174

Key : Hypervisor.Flags.AnyHypervisorPresent

Value: 1

Key : Hypervisor.Flags.ApicEnlightened

Value: 1

Key : Hypervisor.Flags.ApicVirtualizationAvailable

Value: 0

Key : Hypervisor.Flags.AsyncMemoryHint

Value: 0

Key : Hypervisor.Flags.CoreSchedulerRequested

Value: 0

Key : Hypervisor.Flags.CpuManager

Value: 0

Key : Hypervisor.Flags.DeprecateAutoEoi

Value: 0

Key : Hypervisor.Flags.DynamicCpuDisabled

Value: 0

Key : Hypervisor.Flags.Epf

Value: 0

Key : Hypervisor.Flags.ExtendedProcessorMasks

Value: 1

Key : Hypervisor.Flags.HardwareMbecAvailable

Value: 0

Key : Hypervisor.Flags.MaxBankNumber

Value: 0

Key : Hypervisor.Flags.MemoryZeroingControl

Value: 0

Key : Hypervisor.Flags.NoExtendedRangeFlush

Value: 1

Key : Hypervisor.Flags.NoNonArchCoreSharing

Value: 0

Key : Hypervisor.Flags.Phase0InitDone

Value: 1

Key : Hypervisor.Flags.PowerSchedulerQos

Value: 0

Key : Hypervisor.Flags.RootScheduler

Value: 0

Key : Hypervisor.Flags.SynicAvailable

Value: 1

Key : Hypervisor.Flags.UseQpcBias

Value: 0

Key : Hypervisor.Flags.Value

Value: 536745

Key : Hypervisor.Flags.ValueHex

Value: 830a9

Key : Hypervisor.Flags.VpAssistPage

Value: 1

Key : Hypervisor.Flags.VsmAvailable

Value: 0

Key : Hypervisor.RootFlags.AccessStats

Value: 0

Key : Hypervisor.RootFlags.CrashdumpEnlightened

Value: 0

Key : Hypervisor.RootFlags.CreateVirtualProcessor

Value: 0

Key : Hypervisor.RootFlags.DisableHyperthreading

Value: 0

Key : Hypervisor.RootFlags.HostTimelineSync

Value: 0

Key : Hypervisor.RootFlags.HypervisorDebuggingEnabled

Value: 0

Key : Hypervisor.RootFlags.IsHyperV

Value: 0

Key : Hypervisor.RootFlags.LivedumpEnlightened

Value: 0

Key : Hypervisor.RootFlags.MapDeviceInterrupt

Value: 0

Key : Hypervisor.RootFlags.MceEnlightened

Value: 0

Key : Hypervisor.RootFlags.Nested

Value: 0

Key : Hypervisor.RootFlags.StartLogicalProcessor

Value: 0

Key : Hypervisor.RootFlags.Value

Value: 0

Key : Hypervisor.RootFlags.ValueHex

Value: 0

Key : WER.OS.Branch

Value: ge_release

Key : WER.OS.Version

Value: 10.0.26100.1

BUGCHECK_P1: 0

BUGCHECK_P2: ffffbb0a549130c0

BUGCHECK_P3: 2

BUGCHECK_P4: ffffffffffffffff

FILE_IN_CAB:  121525-5562-01.dmp

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT:  1

PROCESS_NAME:  smss.exe

STACK_TEXT:  

fffff60f`c9047258 fffff803`cbcc324a     : 00000000`00000018 00000000`00000000 ffffbb0a`549130c0 00000000`00000002 : nt!KeBugCheckEx

fffff60f`c9047260 fffff803`cc24c099     : 00000000`00000001 00000000`00000000 00000000`00000246 00000000`00000000 : nt!ObfDereferenceObjectWithTag+0x7a

fffff60f`c90472a0 fffff803`cc24a809     : 00000000`00000000 00000000`80000000 00000000`00000090 00000000`00000001 : nt!ObCloseHandleTableEntry+0x3d9

fffff60f`c90473f0 fffff803`cc0b8655     : 00000000`00000000 000001fa`541093f0 ffffbb0a`53db4080 00000000`0000001e : nt!NtClose+0xe9

fffff60f`c9047460 00007ff8`8f082154     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25

00000040`685bf478 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ff8`8f082154

SYMBOL_NAME:  nt!ObfDereferenceObjectWithTag+7a

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

IMAGE_VERSION:  10.0.26100.4061

STACK_COMMAND:  .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET:  7a

FAILURE_BUCKET_ID:  0x18_OVER_DEREFERENCE_nt!ObfDereferenceObjectWithTag

OS_VERSION:  10.0.26100.1

BUILDLAB_STR:  ge_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {4139309c-4e9f-52f0-ac5e-4041e7a86a20}

Followup:     MachineOwner

How can I find out what is the real cause of this crash?

Answer 1

Hello Ruben Vanlommel, I am Ivy.

Based on the dump analysis, the crash is consistent with a third‑party kernel‑mode driver incorrectly managing object references (BugCheck 0x18 – REFERENCE_BY_POINTER). The crash occurs when Windows detects corruption, not at the point where the issue was introduced, so the faulty driver is not visible in the current dump.

To identify the exact driver, we recommend enabling Driver Verifier and collecting a Kernel memory dump.

Step 1: Configure the system to collect a Kernel memory dump

1. Press Win + R, type sysdm.cpl, and press Enter
2. Go to Advanced → Startup and Recovery → Settings
3. Under Write debugging information, select Kernel memory dump
4. Confirm the dump file path is: %SystemRoot%\MEMORY.DMP
5. Click Apply and OK
6. Ensure a page file exists on the OS drive (System managed size is recommended)

Once this is set, a kernel dump will be created automatically the next time a blue screen occurs.

Step 2: Enable Driver Verifier (non‑Microsoft drivers only)

Please perform this step during a maintenance window, as Driver Verifier may intentionally trigger a crash if it detects a faulty driver.

1. Open Command Prompt as Administrator
2. Run:

verifier

3. Select Create standard settings → Next
4. Select Select driver names from a list → Next
5. Select all non‑Microsoft drivers only
6. Click Finish and reboot the server Please let us know once Driver Verifier is enabled and the server has rebooted.

Step 3: After the next blue screen

When the system crashes again:

• Please collect the following files:
  • C:\Windows\MEMORY.DMP
  • C:\Windows\Minidump\*.dmp (if present)
• Upload the files to OneDrive (if available), or another secure file‑sharing location
• Share the download link with us

Important recovery note (just in case)

If the system fails to boot after enabling Driver Verifier:

1. Boot into Safe Mode
2. Open Command Prompt as Administrator
3. Run:

verifier /reset

4. Reboot the system normally

Hope this can help you. Please let us know once Driver Verifier is enabled or if you need assistance reviewing driver selection before rebooting.

Ivy Bui